Participants Discuss Human Rights Dimensions of Cybersecurity, Cyber Armament and Disarmament, Accountability and Regulation of Cyberspace, and the Road Ahead in Advancing International Processes and Reconciling Diverse Views on Cybersecurity
19 December 2017
A session on empowering global cooperation on cybersecurity for sustainable development and peace was held at the twelfth Internet Governance Forum this afternoon. Setting the scene, the panellists raised the issues of best practices in linking cybersecurity and development, a development-centred framework for cybersecurity, human rights perspectives on cybersecurity, and the role developing countries could play in enhancing global cooperation on the issue. The roles and responsibilities of stakeholders (governments, civil society, the technology industry and the United Nations) were discussed, as well as the road and challenges ahead, including the application of international law in cyberspace.
In his opening statement, Frank Grutter, Head of the Division for Security Policy at the Federal Department of Foreign Affairs of Switzerland, noted that discussions on cybersecurity usually drew high participation by government representatives and that it would be useful to get different perspectives and fresh ideas. Geneva was a good place to facilitate such an exchange with its many experts on digitalization. Mr. Grutter expressed hope that the very diverse panel would allow for inspirational ideas on cybersecurity.
In introductory remarks, the session moderator, Olusegun Hamed Olugbile, Chief Executive Officer of Continental Project Affairs Associates and Member of Nigeria’s Cybercrime Advisory Council, said that the failure of global actors to live up to their commitments on global cooperation on cybersecurity and preservation of the stability of the Internet was a threat to the achievement of the 2030 Agenda. Cooperation on cybersecurity was taking place in various institutional frameworks operating in silos, and those were yet to be translated into a meaningful global course of action.
Identifying the Issues: Cybersecurity and the Sustainable Development Goals, Development-Centred Framework, Human Rights Dimensions, Role of Developing Countries and Local Perspectives
Speaking about the link between cybersecurity and the achievement of the Sustainable Development Goals, Maarten Van Horenbeeck, Director of the Forum for Incident Response and Security Teams, noted that some of the areas where adequate policies could actively support development ranged from securing the reliability of access to Internet services, and ensuring that systems were in place to avoid abuse by authorities, to promoting a secure development process. A big challenge ahead was to identify and define the responsibility of stakeholders, and only reinforced stakeholder cooperation would be able to respond – no single stakeholder could go it alone.
On the development-centred framework for cybersecurity, Anita Gurumurthy, Executive Director of IT for Change, India, explained the thinking based on the concept of human security which incorporated freedom from fear and freedom from want, and wondered whether there could be a framework of cybersecurity sustainability inspired by what the Agenda 2030 called “universal peace in larger freedom”. Civil space was being increasingly constrained by the use of technologies for surveillance, intimidation and silencing; therefore an urgent global compact on cyber sustainability was in order, and people and civil society organizations must claim the contours of such an agreement.
Valeria Betancourt, Communication and Information Policy Programme Manager, Association for Progressive Communications in Ecuador, said that cybersecurity was a human rights issue because it concerned people offline and online. The dominant narrative that pitted human rights against cybersecurity had to be dislodged: they were synergistic and deeply interrelated and overlooking those connections led to human rights abuses, such as massive surveillance, censorship, intimidation and silencing, Internet shutdowns, and harvesting of personal data. The perception that cybersecurity was about technology must be overcome, and it must be remembered that the Internet was a global resource that must be governed by all stakeholders.
Jimson Olufuye, Chairman of the Africa ICT Alliance, highlighted the negative effects of the loss of data and cyberattacks on confidence in the global Internet economy through which many nations were lifting their people out of poverty. In order for developing countries to enhance global cooperation on cybersecurity for sustainable development and peace, they should create awareness among their citizens of the ramification of cybersecurity instruments, and ratify the African Union Convention on Cybersecurity and Data Protection, which only two out of 54 African States had done so far.
Uche Mbanaso, Executive Director of the Centre for Cyberspace Studies, Nasarawa State University, Nigeria, addressed the challenges with regard to cybersecurity in Africa, and said that Africa could not be isolated from the threats to cyberspace, especially as investments in cybersecurity were rather low and it was a soft target for cyber criminals. Africa needed coordinated and focused research in which governments, academia and the private sector would work together, but research was undermined by low funding and in particular the lack of perception on the potential dangers.
The ensuing discussion focused on the question of benefits and opportunities that global discussions on cybersecurity offered to developing countries, with speakers noting that this was indeed a developmental issue, and emphasising that global norms would help developing countries to put in place strategies and measures to protect themselves against cyberattacks, which had a very detrimental impact on development gains.
Stakeholders’ Roles and Responsibilities: Fostering Cooperation between Governments, Civil Society, Tech Community and the Academia, the Role of the United Nations and Global Processes
Mohammed Tanimu Abdullahi, Brigadier General at the Presidential Communication Command and Control Centre of Nigeria, said that the Nigerian cybersecurity strategy outlined the Government’s response in terms of policies and strategies on cybersecurity. A response team had been set up to respond to patterns of cybercrime. Governments of developing countries first of all needed to build capacities, while observing the principles of international cooperation and core United Nations values.
Carmen Gonsalves, Head of International Cyber Policy at the Ministry of Foreign Affairs of the Netherlands, stressed that only a small part of the Internet infrastructure was owned by the government sector, which was why it was so important to include private stakeholders in discussions about cybersecurity. That was why the Netherlands had taken part in the establishment of the Global Commission on the Stability of Cyberspace.
Daniel Stauffacher, President of ICT4Peace Foundation from Switzerland, stated that it was advisable that countries start implementing the recommendations of the Group of Governmental Experts. It was encouraging that corporate actors were assuming social and global responsibilities in that respect. Civil society could serve as a test bed for proposals by governments and the private sector. More non-governmental organizations should get engaged in the debate on cybersecurity.
Audrey Plonk, Senior Director for Global Cybersecurity and Internet Governance Policy at Intel Corporation, noted that the business sector shared a responsibility to ensure a safe Internet. As builders and operators, businesses had a responsibility to build safe and better products. They had a role to play in the engagement within the global multi-stakeholder community in order to build a more stable cyberspace.
Marco Obiso, Cybersecurity Coordinator at the International Telecommunication Union, noted that the questions and answers about cybersecurity were more or less the same. There was a need to redefine the way in which the multi-stakeholder dialogue was taking place. One of the fundamental questions was achieving a consensus on the binding or voluntary nature of agreements on cyberspace. That consensus was, unfortunately, not taking place.
Andrey Krutskikh, Ambassador-at-Large, Special Representative of the President of Russia for International Cooperation in Information Security, noted that to date the Internet Governance Forum had focused on social and humanitarian issues in the domain. The world was moving to a great cybersecurity confrontation, but the international community had not yet decided how to apply international law, and who should apply it. Commenting on the proposal for the Geneva Digital Convention, Mr. Krutskikh said that it could list what was and what was not allowed in cyberspace.
Sarah Taylor, Director of the Cyber National Security Directorate, Foreign and Commonwealth Office of the United Kingdom, recalled that the London Process had been designed to get cybersecurity, increasingly of a strategic peace and security importance, on the agenda of governments beyond communication ministries; emphasise that cyberspace was not unregulated, as international law, including the United Nations Charter, applied; and challenge the governments to identify what they were protecting with their cybersecurity policies and urge them to acknowledge the new paradigm of international security which called for the participation of other stakeholders, not just governments talking to each other.
The Chair of the Global Commission on the Stability of Cyberspace, Marina Kaljurand, said that the Commission had been created in March 2017 to contribute to international peace and security by developing norms to ensure cyber stability – an ideal state where all stakeholders could enjoy the benefits of cyberspace without fear. The first norm had been issued recently, on the protection of the public core of the Internet; it was voluntary and non-binding but norms could lay the groundwork towards a binding international agreement.
In the discussion that followed, the audience asked about strengthened cooperation within the Forum, ways to facilitate dialogue on the most urgent issues, cooperation with other organizations and platforms on best practices, and how the international community could pinpoint norms of cybersecurity that promoted development. Responding, some panellists noted that the international community should not immediately jump to adopting binding principles of cybersecurity; others recalled all the fora in which international cooperation on cybersecurity was taking place. Some norms had already been recognized, they said, namely in international law; this must not necessarily lead to a new law or a treaty.
The Road Ahead: Advancing the International Processes on Cybersecurity, Ensuring the Rule of Law in Cyberspace, Reconciling Diverse Views on Cybersecurity
Anja Kaspersen, Director of the United Nations Office for Disarmament Affairs Geneva Branch, spoke about challenges to the one-size-fits-all approach to disarmament, namely archaic rules and practices. The enabling nature of cyberspace meant it was vulnerable to attacks. The threat of cyberattacks on nuclear facilities and the phenomenon of weaponizing information were concrete concerns. Multiple artificial intelligence weapons were being increasingly applied, triggering deep ethical concerns. There had to be an agreement on what a responsible country could and could not do in cyberspace.
Jan Neutze, Director of Cybersecurity at the Microsoft Corporation, said that in a world which was rapidly embracing digitization, people would not use technology they did not trust, which called for a free, open, stable and secure cyberspace. It was clear that conflicts between governments were expanding in cyberspace where a new cyber arms race was underway; it would be a mistake to think that private companies could prevent or stop a cyberattack any more than any other form of a military attack. Microsoft had called in the proposed new Digital Geneva Convention on governments to do more to protect citizens from cyberattacks; on industry to do more, focus on defence and help all customers feel secure, equally; and to hold accountable those actors that violated international norms.
Cybersecurity was a part of national and international security, for which the cooperation of other stakeholders - particularly in identifying how to apply international law in cyberspace - was crucial, stressed Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace. The issue at hand was not only about access to technology but also about values and norms, and human rights which were applicable online as they were offline. It was of vital importance to start answering the question of the applicability of international law in cyberspace.
Asked what the role of civil society could be in taking forward the aspects of international cybersecurity, Daniel Stauffacher, President of ICT4Peace Foundation, Switzerland, said there was scope to contribute to processes on international cybersecurity; civil society could do a lot in working with users of cyberspace, and also in cooperating with the private sector in identifying their concerns. Civil society could also reach out to parliaments and influence policy and law making on cyberspace and cybersecurity in countries.
Uche Mbanaso, Executive Director of the Centre for Cyberspace Studies, Nasarawa State University, Nigeria, said that education providers had a vital role to play in developing a global culture of cybersecurity, in particular by providing education that was adapted to the needs of users, from basic and fundamental education, to a specialized one. There must be a rethink on how to include education on cyberspace in the educational system.
Valeria Betancourt, Communication and Information Policy Programme Manager, Association for Progressive Communications in Ecuador, stressed that applying recommendations by various international fora could be a good first step in ensuring a human rights-based approach to cybersecurity policy. There must be accountability of States for their cyber offence and defence capacities, and for investing in technologies which restricted the human rights of users, and which did not contribute to peace and security.
Debate and Final Comments
Participants asked about the enforceability of norms or even a future treaty; whether it was possible to address the issue of cyber disarmament; stressed the need to focus on the most important topics and to put in place the required process, and wondered how the Forum could do something it had never done before; and how youth could contribute to a safe cyberspace ecosystem. What could be done to include in the conversation those not included, primarily the future generations, and the unconnected, some 3.9 billion, most of whom were women?
Panellists noted that convincing States to step back from developing cyber arms would indeed be a challenge, and emphasised positive experiences from the conventional arms arena where much could be learnt from the application of various treaties in that area. The discussions on the destructive nature of cyber arms must continue, and governments must be transparent about their cyber capabilities and the rules governing the use of those capabilities. There must be a broader involvement of the peace building community - the civil society organizations that worked on peace. On enforcing responsible behaviour in cyberspace, panellists emphasised the importance of primary capacity building, as well as building capacity in legal and political spheres. Another panellist noted that it was not possible to have a global solution for everything and stressed individual responsibilities of States, industry and citizens.
In conclusion, Lynn St. Amour, Chief Executive Officer at Internet Matters, said that the Internet Governance Forum was not a place for making decisions, but its discussions clearly informed actions at the national and regional level; the fact that it was not mandated to make decisions did not lessen the value of its work. Fast policy did not necessarily lead to quality policy, she said.
Frank Grutter, Head of the Division for Security Policy at the Federal Department of Foreign Affairs of Switzerland, concluded by saying that rewards for coming closer to a normative framework on cyberspace would be very high, and stressed that all the building blocks of a normative framework for cyberspace had to be firmly anchored in international law and the United Nations Charter. Despite varying priorities, different stakeholders were united in wanting a cyberspace that was open and secure for all.
The Internet Governance Forum will continue its programme of sessions and workshops on Wednesday, 20 December. The highlights include a session Dynamic Coalitions: Contribute to the digital future! (10 a.m. in Room XVII). Dynamic Coalitions are the Forum’s longest-standing community groups and they will present topics they cover, including accessibility and disability, Internet of Things and blockchain technologies, publicness and core Internet values.
The session titled NRIs perspectives: Rights in the digital world (11.30 a.m. in Room XVII) will discuss extensively the notion of rights in the digital world, their importance and current practices in different countries and regions of the world. At 4 p.m. in Room XVII, the session Gender inclusion and the future of the Internet will strive to answer the question: what does it mean to integrate gender into Internet governance processes?
For use of the information media; not an official record